MEMORANDUM FOR DIRECTOR, NATIONAL RECONNAISSANCE OFFICE
PRINCIPAL DEPUTY DIRECTOR, NATIONAL RECONNAISSANCE OFFICE
DEPUTY DIRECTOR, NATIONAL RECONNAISSANCE OFFICE
DIRECTOR, COMMUNICATIONS SYSTEMS DIRECTORATE/CHIEF INFORMATION OFFICER
DIRECTOR, OFFICE OF SECURITY AND COUNTERINTELLIGENCE

SUBJECT: (U) Final Report: Audit of the National Reconnaissance Office Cyber Incident Detection and Response (Project Number 2014-001 A)

(U//FOUO) The National Reconnaissance Office (NRO) Office of Inspector General (OIG) report on the Audit of NRO Cyber Incident Detection and Response is attached. I am providing this report for the Communications Systems Directorate’s (COMM’s) and Office of Security and Counterintelligence’s (OS&CI’s) information and implementation of the recommendations. In implementing your proposed plans to address and resolve each recommendation, COMM and OS&CI are required to report via the TIER system on the status of actions taken and estimated completion dates.

(U//FOUO) I appreciate the courtesies extended to my staff during this audit. Please direct any questions you may have regarding this report to [redacted], Auditor-in-Charge, at [redacted] or [redacted], Deputy Assistant Inspector General, at [redacted] (secure). Please direct any questions you may have regarding corrective action to [redacted], OIG Follow-up Administrator, at [redacted]

dam G. Harris 
Inspector General 
EXECUTIVE SUMMARY
(U) Audit of NRO Cyber Incident Detection and Response

(U) To view the full report, including the scope, methodology, results, and management comments, go to https://corpstaff.svc.nto.ic.gov/oig

(U) Why the OIG Did This Audit

(S//NF) Successful penetration or disruption of [redacted] NRO classified networks are high priority targets for our adversaries [redacted]. As an incentive for the NRO to improve cyber incident detection and response capabilities, the Fiscal Year 2014 Intelligence Authorization Act fenced [redacted] from the NRO’s budget and directed the NRO to develop a strategy [redacted].

(U//FOUO) The OIG conducted this audit to determine the NRO’s effectiveness in preventing, detecting, and responding to cyber incidents. Specifically, the OIG assessed whether the NRO has adequate controls in place to ensure cyber incidents on NRO networks and systems are detected and handled in accordance with applicable laws and regulations. (b)(1)

(U) What the OIG Found

(U//FOUO) Overall, the NRO’s effectiveness in preventing, detecting, and responding to cyber incidents [redacted] (b)(1) (b)(3)

(U//FOUO) The OIG also found that the NRO [redacted]

(U) What the OIG Recommends

(U//FOUO) The OIG recommends the NRO take [redacted] (b)(3). A complete list of recommendations can be found in Appendix A.

(U) Management Comments

(U) The Director, Communications Directorate (D, COMM) and Director, Office of Security and Counterintelligence (D, OS&CI) reviewed a draft of this report and concurred with the findings and recommendations presented. The D, COMM and D, OS&CI comments and plans meet the intent of the recommendations. As part of our follow-up process, we will monitor the status of the corrective action plans through full implementation. Complete copies of management comments can be found in Appendix F. (b)(1) (b)(3)
(U) OFFICE OF INSPECTOR GENERAL

(U) Audit of the National Reconnaissance Office
Cyber Incident Detection and Response
(Project Number 2014-001 A)

(U) INTRODUCTION

(S//NF) The National Reconnaissance Office (NRO) [redacted]

(S//NF) Prior NRO network security assessments have shown [redacted] (b)(1). The 2012 NRO Office of Inspector General (OIG) Audit of the NRO Enterprise Management of Cyber Incidents identified that the NRO [redacted]. [To improve] the NRO’s cyber incident detection and response capabilities, the fiscal year (FY) 2014 Intelligence Authorization Act fenced [redacted] from the NRO’s budget and directed the NRO to develop a strategy and implementation plan that addresses the [redacted] (b)(1) (b)(3); and (3) reporting of cyber incidents to the Intelligence Community Security Coordination Center (IC SCC).

(U//FOUO) The OIG conducted this audit to determine the NRO’s effectiveness in preventing, detecting, and responding to cyber incidents. Federal guidance¹ defines a cyber incident as any attempted or successful access to, exfiltration of, manipulation of, or impairment to the integrity, confidentiality, security, or availability of data, an application, or information system without lawful authority. The OIG also assessed whether the NRO has adequate controls in place to ensure cyber incidents on NRO networks and systems are detected and handled in accordance with applicable laws and regulations.

(U) BACKGROUND

(U) The Federal Information Security Management Act (FISMA) of 2002 sets forth a comprehensive framework for ensuring the effectiveness of security controls over information resources supporting federal operations and assets. With regard to cyber incident detection and response, FISMA requires each agency to implement an information security program that includes procedures for detecting, reporting, and responding to cyber incidents. Further, NSPD-54/HSPD-23 requires federal agencies to (1) increase efforts to coordinate and enhance the security of classified and unclassified networks; (2) increase the protection of the data on these networks; and (3) improve their capability to deter, detect, prevent, protect against, and respond to threats against information systems and data. Appendix B provides a listing of policies and procedures applicable to NRO cyber incident detection and response functions.

¹ (U) National Security Presidential Directive (NSPD)-54/Homeland Security Presidential Directive (HSPD)-23

(U) Elements of Computer Network Defense

(U) Computer Network Defense (CND) operations include actions taken to (1) prepare and protect; (2) monitor, detect, and analyze; and (3) respond to unauthorized activity within information systems and networks. Figure 1 below shows the CND elements.

(U) Prepare and protect operations are the continuous day-to-day practices, capabilities, and procedures to manage the security of networks and systems. The preparation and protection phase also inc[redacted]

(U) Monitoring and detecting cyber incidents is a continuous process of identifying any unusual network or system activity that has the potential to adversely affect systems, networks, or operational missions. Monitoring and detection also provides situational awareness, attack sensing, and indications and warnings. The primary objectives for detecting cyber incidents are to ensure that all suspicious activity is identified and reported in a timely manner consistent with required reporting timelines to facilitate further analysis and ensure effective coordination with other organizations.

(U) Once a cyber incident is detected, the ability to proactively respond to the unauthorized activity and events that might negatively impact the mission includes steps to prevent further damage, restore the integrity of affected systems, and implement follow-up strategies to prevent the incident from happening again.

(U) Figure 1: Computer Network Defense Elements [figure: phases labelled Pre-event and Post-Detection; diagram not recoverable from the scan]
Figure is UNCLASSIFIED
(U) NRO Cyber Incident Detection and Response

(U//FOUO) The NRO Chief Information Officer (CIO) establishes the cyber incident detection and response policy. The CIO is also responsible for providing oversight of cyber incident handling and reporting to external entities. However, the CIO does not have a role in the execution of these activities. Execution of these activities is performed by the Communications Systems Directorate (COMM),² [redacted] is responsible for all NRO information technology (IT) infrastructure and commoditized services to include incident detection and response, compute, storage, networks, and enabling commercial software.

(U//FOUO) The [redacted] was established in April 2014 to serve as the single NRO office responsible for providing unified, comprehensive cyber [redacted]ort for the NRO [redacted] (NIE).³ Prior to the establishment of the [redacted], the [redacted] was responsible for the overall [redacted] incident detection and response function. With the implementation of the [redacted], all of [redacted] resources for cyber defense and response transitioned to the [redacted]. Currently, the [redacted] is chartered with 24 hours, 7 days a week monitoring of the NIE. As such, they are responsible for protecting, detecting, and responding to suspicious and unauthorized activity on or against the NIE. The [redacted] is also chartered to conduct scans of NRO networks, perform external security incident reporting with guidance from the [redacted], and maintain the NRO [redacted]. Although the results of audit testing refer to [redacted] as the organization responsible for performing cyber incident detection and [redacted], with its standup, the [redacted] inherited these responsibilities. As a result, the [redacted] is responsible for performing cyber incident detection and response in the future.

(U//FOUO) The Office of Security and Counterintelligence (OS&CI) also supports the NRO’s cyber incident and response efforts [redacted]

² (U//FOUO) Effective 15 September 2014, the Chief Information Office and Communications Systems Directorate (COMM) merged. With this merger, the Director, COMM assumed the Chief Information Officer designation.
³ (U//FOUO) The NIE is defined as the collection of all NRO-owned information and IT required to perform the NRO mission [redacted]
(U) SCOPE AND METHODOLOGY

(U) The OIG conducted this performance audit from January 2014 to September 2014 in accordance with generally accepted government auditing standards. Those standards require that the OIG plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for the findings and conclusions. The OIG assessed the internal controls deemed significant within the context of the audit objectives. The OIG believes that the evidence obtained provides a reasonable basis for the findings and conclusions based on the audit objective.

(U//FOUO) The OIG reviewed relevant laws and regulations, as well as Department of Defense (DoD), Office of Director of National Intelligence (ODNI), and NRO guidance, policies, and procedures. The OIG interviewed NRO personnel from CIO, COMM, OS&CI, and mission ground stations to understand their role in the NRO incident detection and response process. The OIG also met with personnel from the IC SCC and U.S. Cyber Command (USCYBERCOM) to understand their requirements and expectations for NRO cyber incident reporting. Additionally, the OIG met with personnel responsible for incident detection and response [redacted] to obtain an understanding of their operations and identified best practices. Since the [redacted] inherited cyber incident detection and response responsibilities in April 2014, the OIG met with [redacted] personnel to discuss preliminary findings and recommendations and their plans to improve the CND security landscape.

(U//FOUO) To determine whether the NRO had adequate controls in place to prevent and detect cyber incidents, the OIG interviewed officials from the CIO and COMM to determine the NRO’s processes and procedures for [redacted]. The OIG compared the lists of networks provided by COMM and CIO to determine how consistently this information is tracked between the Directorates and Offices (Ds and Os). Further, the OIG obtained a list of [redacted] to determine whether monitoring capabilities [redacted] maintain visibility into all NRO networks. The OIG also reviewed the [redacted] to determine whether the NRO maintains adequate controls to prevent and detect cyber incidents.

(U//FOUO) In addition, the OIG reviewed the results of prior CIO network security assessments and [redacted] reports for cyber incidents detected. The OIG reviewed these reports to identify [redacted]. Further, the OIG interviewed representatives from the CIO and individual Ds and Os to obtain an understanding of the NRO’s [redacted]

(U//FOUO) To determine the effectiveness of the NRO’s response to cyber incidents, the OIG obtained a list of all cyber incident cases created by [redacted] during calendar year (CY) 2013. From this list, the OIG selected a judgmental sample to determine the extent to which the NRO is reporting cyber incidents to IC SCC and USCYBERCOM. Although the findings of a judgmental sample cannot be projected, we believe that our sample provides a sufficient basis for our audit findings and conclusions. The OIG also assessed the completeness and validity of the incident case data. Any information system data used by the auditors or included in this report for informational purposes was not audited.

(U) PRIOR COVERAGE

(U//FOUO) In the NRO FY 2014 FISMA Evaluation Report, dated 5 September 2014, the OIG noted that the NRO [redacted] and reporting [redacted] process. This issue has been reported since FY 2009.

In the Audit of the Enterprise Management of Cyber Incidents, dated 15 June 2012, the OIG found that the NRO [redacted]
(b)(3)

(U) AUDIT RESULTS

(S//NF) The NRO cyber incident detection and response capability is [redacted] (b)(1) (b)(3)

(U//FOUO) Finding 1: The NRO [redacted]

(S//NF) The NRO [redacted] (b)(1) (b)(3)

(U) Network Mapping

(U//FOUO) [redacted] (b)(1) (b)(3)

(U) Transport networks provide reliable communication sessions between computers.
(S//NF) In December 2013, the OIG issued the Audit of CIO Management of NRO Information Technology, [redacted] (b)(1). [Redacted] during this audit, the OIG found it necessary to request a list of NRO networks from the CIO, COMM [redacted] and COMM to determine the extent of the NRO awareness of its universe of networks. [redacted] (b)(1) (b)(3). Corporate Business Process Instruction (CBPI) 50-2E, Enterprise Defense-Cyber Incident Response, provides the NRO a uniform definition of “network”. It defines a network as a “collection of interconnected components, based on a coherent security architecture and design. This may include routers, hubs, cabling, telecommunications controllers, key distribution centers, and technical control devices.”

(S//NF) The OIG [redacted] COMM [redacted]. The [redacted] (b)(1) (b)(3). As illustrated in Figure 2, [redacted] of the reported [redacted]. Appendix C provides the networks reported by the CIO and COMM. [redacted] (b)(3)

(U)
(U) Figure 2: Common Networks Reported by COMM and CIO
Figure is S//NF

(S//NF) [redacted] new information to the NRO. In October 2005, [redacted] assessment identified [redacted]. Subsequently, in CY 2007, the CIO [redacted] (b)(1). According to a CIO official, [redacted] (b)(1)

(U) Recommendation #1 for the Director, COMM:
(U//FOUO) Management Response: The Director, COMM concurred with this recommendation. The Director, COMM [redacted]. A complete copy of the management comments is included in Appendix F.

(U) Cyber Threat Assessments

(S//NF) (b)(1) [redacted]. Cyber threat assessments are intended to provide a basis for improved risk management and strategic information assurance (IA) planning that consider both threats and vulnerabilities. [redacted]

(U) Although it is the owner of Information Technology-Information Assurance-Information Management (IT-IA-IM), the CIO [redacted]. IC Standard (ICS) 502-01, IC Computer Incident Response and Computer Network Defense, requires IC elements to conduct annual cyber threat assessments to identify and evaluate cyber threats to enterprise information systems, networks and shared IC resources. Further, ICD 502 Concept of Operations (CONOPS) [redacted]

(S//NF) (b)(1) [redacted]

(S//NF) In addition to CIO cyber threat assessment efforts, [redacted] personnel stated that [redacted]
(U) Recommendation #2 for the Director, COMM:
[redacted]

(U//FOUO) Management Response: The Director, COMM concurred with this recommendation. A complete copy of the management comments is included in Appendix F.

(U) Vulnerability Scanning

(S//NF) [redacted] CBPI 50-2E, Enterprise Defense — Cyber Incident Response, (b)(1) [redacted]

(S//NF) Although CBPI 50-2E identifies [redacted] as the organization responsible for [redacted]:
1. (U) [redacted]
2. (U) [redacted] (b)(1)
3. (U) [redacted] (b)(3)
4. (U) [redacted]
5. (U) [redacted]
6. [redacted]

(U//FOUO) [redacted] historically, mission system owners h[redacted] the mission. In addition, [redacted]
(U) Mission Ground Stations

(S//NF) [redacted]

(U) Table 1: Vulnerability Scanned Systems at ADF-C and ADF-E
[table contents not recoverable from the scan]
Table is S//NF

(U//FOUO) The OIG discussed vulnerability scanning with [redacted] personnel and they [redacted]

(U) Recommendation #3 for the Director, COMM:
[redacted]

(U//FOUO) Management Response: The Director, COMM concurred with this recommendation. A complete copy of the management comments is included in Appendix F.
(U) Network Security Assessments

(S//NF) The NRO [redacted]

(U//FOUO) In January 2014, the CIO, [redacted] established a framework, [redacted]

(U) Red Team

(S//NF) The NRO Red Team [redacted] (b)(3)

(U) Blue Team

The NRO Blue Team, [redacted]

(U//FOUO) Red Team is a group of individuals authorized and organized to [redacted]
(U//FOUO) Blue Team is responsible [redacted] (i.e., the Red Team).
[redacted] supporting Business Plans and Operations (BPO) in June 2013; (b)(1) (b)(3) [redacted] however [redacted] engineering efforts.

(U//FOUO) REBL activities [redacted]

(U) Recommendation #4 for the Director, COMM:
[redacted]

(U//FOUO) Management Response: The Director, COMM concurred with this recommendation. A complete copy of the management comments is included in Appendix F.

(U) Recommendation #5 for the Director, OS&CI:
[redacted]

(U//FOUO) Management Response: The Director, OS&CI concurred with this finding and recommendation. OS&CI is currently i[redacted] effort. A complete copy of the management comments is included in Appendix F.

(U) Network Monitoring Strategy

(S//NF) The NRO [redacted]
(S//TK//NF) (b)(1) [redacted]

(S//NF) (b)(1) [redacted]

(U//FOUO) While the OIG [redacted], the NRO must ensure that institutional knowledge is documented and shared amongst key stakeholders (e.g., COMM and CIO leadership). [Redacted] leadership acknowledged that [redacted]. A senior [redacted] official stated that [redacted]

(U) Recommendation #6 for the Director, COMM:
[redacted]

(U//FOUO) Management Response: The Director, COMM concurred with this recommendation. A complete copy of the management comments is included in Appendix F.
(b)(3)
(b)(1) (b)(3)
(U) Figure: [redacted] Assessment Results Briefing Dates
Figure is S//NF

(U//FOUO) ICS 502-01 requires IC elements to report vulnerability assessment information, status, and results to the agency’s leadership. ICS 502-01 also requires IC elements to develop and maintain internal processes for elevating reports on information system weaknesses, deficiencies, and/or vulnerabilities associated with reported incidents to the IC senior leadership and stakeholders. Further, the ICD 502 CONOPS [redacted]

(U//FOUO) From 2008 to 2009 [redacted] (b)(1) (b)(3)
(U) Acquisition Center of Excellence, Acquisition Resource Center Unclassified Webserver

[redacted] the Acquisition Center of Excellence, Acquisition Resource Center (ARC) unclassified webserver [redacted]

(S) While NRO Directive 52-15, Risk and Vulnerability Assessments, Reviews and Updates, defines basic responsibilities [redacted] (b)(1) (b)(3)

(U) Recommendation #9 for the Director, COMM:
(U//FOUO) [redacted]

(U//FOUO) Management Response: The Director, COMM concurred with this recommendation. A complete copy of the management comments is included in Appendix F.

(S//NF) In April 2014 the CIO issued Policy Note 2014-03 providing guidance on the proper classification of IT vulnerabilities.
NRO Cyber Incidents

(U//FOUO) The NRO [redacted]

(U//FOUO) The IC SCC⁹ requires initial cyber incident reports be provided [redacted] of the incident oc[redacted]. USCYBERCOM¹⁰ requires initial cyber incident reports be provided within a range of [redacted] depending on the incident category. The OIG reviewed all [redacted] cyber incident reports the NRO reported to the IC SCC and USCYBERCOM from January 2013 through February 2014. [redacted]

(U//FOUO) [redacted] According to the ODNI Intelligence Community Incident Reporting Procedures, IC agencies should report category 1-8¹³ cyber incidents and events on its TOP SECRET networks to the I[redacted]

(U//FOUO) [redacted]

⁹ (U) The IC SCC is the IC CIO's executive agent to monitor and oversee the integrated defense of the IC information environment. The NRO is required to report cyber incident information associated with its TOP SECRET systems and networks to IC SCC.
¹⁰ (U) The USCYBERCOM plans, coordinates, integrates, synchronizes, and conducts activities to direct the operations and defense of DoD information networks. The NRO is required to report cyber incident information associated with its systems and networks at the SECRET and below classification levels to USCYBERCOM.
¹¹ (U//FOUO) The IC SCC also requires reporting for any network that is funded through the National Intelligence Program.
¹² (U//FOUO) [redacted]
Table is S//NF

[redacted] CBPI 50-2E establishes cyber incident-related responsibilities for the CIO, to include (1) providing oversight for the overall cyber-related incident handling and reporting process, and (2) providing guidance regarding external reporting of cyber-related incidents. Such CIO oversight would minimize inconsistent and untimely information in the reports provided to IC SCC and USCYBERCOM.

(U//FOUO) The reporting and subsequent sharing of cyber incidents among the IC elements directly supports the building of trust and cooperation across the IC elements. [redacted]

¹³ (U) Appendix D provides a description of each cyber incident category.
(U) Recommendation #10 for the Director, COMM:
[redacted]

(U//FOUO) Management Response: The Director, COMM concurred with this recommendation. A complete copy of the management comments is included in Appendix F.

(U) Other Matter

(S//NF) The OIG noted inconsistencies with the external cyber incident reports the NRO submitted to IC SCC and USCYBERCOM. Specifically, the OIG reviewed [redacted] provided to the IC SCC from January 2013 through February 2014 and found that [redacted] reports included language that refers to separate incidents that are completely unrelated to the [redacted] (b)(1) (b)(3)

(U//FOUO) The OIG also met with USCYBERCOM representatives to determine whether they had any concerns with the cyber incident reports provided by the NRO. They acknowledged that they are satisfied with the reporting of cyber incidents provided by the NRO. However, the OIG’s review of [redacted] cyber incident reports the NRO provided to USCYBERCOM between January 2013 and February 2014 showed that [redacted] omitted vital details about the cyber incidents. With that said, opportunities exist for improvement with regard to USCYBERCOM reporting.

(U//FOUO) The Chairman of the Joint Chiefs of Staff Manual 6510.01A, Information Assurance and Computer Network Defense Volume I Incident Handling Program, requires that cyber incident reports to USCYBERCOM contain specific technical details. However, most of the NRO cyber incidents reported to USCYBERCOM contained only a very brief description of the cyber incident, and omitted significant details that were available and should have been included. Figure 7 shows one cyber incident description in a report sent to USCYBERCOM compared to the description of the same cyber incident in an internal NRO report.
(U) Figure 7: Comparison Between USCYBERCOM and Internal Report [figure: panels "USCYBERCOM Report" and "Internal NRO Report"; contents not recoverable from the scan]
Figure is UNCLASSIFIED

(U//FOUO) While IC SCC and USCYBERCOM did not express concern over the information contained in the NRO cyber incident reports, this is an opportunity for the NRO to take action to increase information sharing to contribute to an IC-wide operation.
(U) APPENDIX A: Summary of Recommendations

(U//FOUO) Effective 15 September 2014, the Chief Information Office and Communications Systems Directorate (COMM) merged. With this merger, the Director, COMM assumed the Chief Information Officer designation. Therefore, the recommendations that were to be addressed to the CIO prior to the merger are addressed to the Director, COMM.

(U) Recommendation #1 for the Director, COMM:
(U//FOUO) [redacted]

(U) Recommendation #2 for the Director, COMM:
(U//FOUO) [redacted]

(U) Recommendation #3 for the Director, COMM:
(U//FOUO) [redacted] and ICD 502.

(U) Recommendation #4 for the Director, COMM:
(U//FOUO) [redacted]

(U) Recommendation #5 for the Director, OS&CI:
(U//FOUO) [redacted]

(U) Recommendation #6 for the Director, COMM:
(U//FOUO) [redacted]

(U) Recommendation #7 for the Director, COMM:
(U) Recommendation #8 for the Director, COMM:
(U//FOUO) [redacted]

(U) Recommendation #9 for the Director, COMM:
(U//FOUO) [redacted]

(U) Recommendation #10 for the Director, COMM:
(U//FOUO) [redacted]
(U) APPENDIX B: Policies Related to Computer Network Defense

(U) Table 1. Computer Network Defense Policies

Organization | Description of Policies

Federal Laws
• The Federal Information Security Management Act of 2002 requires each agency to develop and implement an agency-wide information security program that includes procedures for detecting, reporting, and responding to security incidents.
• National Security Presidential Directive-54/Homeland Security Presidential Directive-23, Cybersecurity Policy, requires agencies to increase efforts to coordinate and enhance the security of their classified and unclassified networks; increase protection of the data on these networks; and improve their capability to deter, detect, prevent, protect against, and respond to threats against information systems and data.

Director of National Intelligence (DNI)
• Intelligence Community Directive (ICD) 502, Integrated Defense of the IC Information Environment, identifies the organizations engaged in computer network defense (CND) of the IC Information Environment and specifies their roles and responsibilities.
• Intelligence Community Standard (ICS) 502-01, Computer Incident Response and Computer Network Defense, defines the baseline computer incident response responsibilities, capabilities, and supporting CND services in the intelligence community.
• Intelligence Community Incident Reporting Procedures provides reporting procedures for cyber security incidents, events, outages, and data spillages, in support of ICD 502.
• Intelligence Community Information Assurance Architecture describes information assurance (IA) capabilities necessary to provide agencies with the ability to counter increasingly sophisticated cyber threats.
• Detailed Plan to Increase the Security of Classified Networks details enterprise cybersecurity capabilities that include processes and services that enhance the security and situational awareness of classified networks.
Department of Defense (DoD)
• DoD Directive 8500.1, Information Assurance, requires a defense-in-depth approach to IA and to make appropriate use of IA infrastructures, including incident response.
• DoD Directive 8530.1, Computer Network Defense, requires all DoD information systems and computer networks to be monitored in order to detect, isolate, and react to intrusions, disruption of services, or other incidents that threaten the security or function of DoD operations, DoD information systems or computer networks.
• DoD Instruction 8500.2, Information Assurance Implementation, requires Heads of DoD Components to provide for vulnerability mitigation and an incident response and reporting capability.
• Chairman of the Joint Chiefs of Staff Manual 6510.01 describes the DoD Incident Handling Program, the major processes that take place within the incident handling program, and the interactions with related U.S. Government computer network defense activities.

National Reconnaissance Office (NRO)
• Corporate Business Process (CBP) 50, Information Technology, Information Assurance, and Information Management, directs the NRO to establish an Information Assurance Program including cyber incident detection and response capabilities.
• Corporate Business Process Instruction (CBPI) 50-2E, Enterprise Defense — Cyber Incident Response, implements the cyber incident prevention and detection requirements outlined in CBP 50. These requirements include procedures to assess the damage and minimize the impact of cyber incidents, provide data to identify system vulnerabilities, and improve enterprise defenses and countermeasures.
• NRO Directive (ND) 52-15, Risk and Vulnerability Assessments, Reviews, and Updates, directs the NRO to ensure the availability, integrity, authentication, confidentiality, and non-repudiation of information and information systems. This includes the [redacted] roles and responsibilities, to include coordinating the assessment, prioritization, and remediation of vulnerabilities.
• NRO [redacted] Concept of Operations, outlines the process for the NRO to coordinate and leverage resources within the existing directorates and offices to establish the framework for an NRO Information Enterprise critical incident response and reporting capability.
National Institute of Standards and Technology (NIST)





• NIST Special Publication 800-61, Computer Security Incident Handling Guide, seeks to assist organizations in mitigating the risks from computer security incidents by providing practical guidelines on responding to incidents effectively and efficiently. It includes guidance on establishing an effective incident response program, but the primary focus of the document is detecting, analyzing, prioritizing, and handling incidents.


• NIST Special Publication 800-94, Guide to Intrusion Detection and Prevention Systems, assists organizations in understanding intrusion detection system and intrusion prevention system technologies and in designing, implementing, configuring, securing, monitoring, and maintaining intrusion detection and prevention systems.

(Table is U//FOUO)
(U) APPENDIX D: NRO Cyber Incident Events and Categories


(U) Table 1. NRO Cyber Incident Events and Categories 





Category 1
  Root Level Intrusion: Unauthorized privileged access (administrative or root access) to a system.

Category 2
  User Level Intrusion: Unauthorized non-privileged access (user-level permission) to a system. Automated tools, targeted exploits, or self-propagating malicious logic may also attain these privileges.

Category 3 (Non-reportable)
  Unsuccessful Activity Attempt: Attempt to gain unauthorized access to a system, which is defeated by normal defensive mechanisms. Attempt fails to gain access to the system (i.e., attacker attempted valid or potentially valid username and password combinations) and the activity cannot be characterized as exploratory scanning. Can include reporting of quarantined malicious code.

Category 4
  Denial of Service: Activity that impairs, impedes, or halts the normal functionality of a system or network.

Category 5
  Non-Compliance Activity: This category is used for activity that, due to actions (either via configuration or usage), makes systems potentially vulnerable (e.g., missing security patches, connections across security domains, installation of vulnerable applications, etc.). In all cases, this category is not used if an actual compromise has occurred. Information that fits this category is the result of non-compliance or improper configuration changes or improper handling by authorized users.

Category 6
  Reconnaissance: An activity (scan/probe) that seeks to identify a computer, an open port, an active service, or any combination thereof for later exploit. This activity does not directly result in a compromise.

Category 7
  Malicious Logic: Installation of malicious software (e.g., Trojan, backdoor, virus, worm, etc.).

Category 8 (Initial)
  Investigating: Activities that are potentially malicious or anomalous activity deemed suspicious and warrant, or are undergoing, further review. No incident will be closed out as a category 8.

Category 9 (Non-reportable)
  Explained Anomaly: Activities that are initially suspected as being malicious in nature but after investigation, are determined not to fit the criteria for any of the other categories (e.g., systems malfunction, false positive, bad information, etc.).

Category 10 (Non-reportable)
  Misuse/Porn: Activities that are in breach of best security practices, NRO Acceptable Use Policy and/or contain blatant pornographic activity.
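The category rules in Table 1 can be applied mechanically to an event record once an analyst has established what was observed. The following Python is an added example and is not code from the audit report or from the NRO; the Observation field names and the sample events are constructed for the illustration, while the category numbers, names and the ordering rules (an actual compromise precludes category 5, exploratory scanning is category 6 rather than 3, quarantined malicious code is category 3 rather than 7, and no incident closes as category 8) are taken from the table above.

```python
"""Triage of events against the NRO cyber incident categories in Table 1.
Added illustration, not code from the audit report or from the NRO. The
Observation fields and the sample events are constructed for this example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CATEGORIES = {
    1: "Root Level Intrusion", 2: "User Level Intrusion",
    3: "Unsuccessful Activity Attempt", 4: "Denial of Service",
    5: "Non-Compliance Activity", 6: "Reconnaissance",
    7: "Malicious Logic", 8: "Investigating",
    9: "Explained Anomaly", 10: "Misuse/Porn",
}
NON_REPORTABLE = {3, 9, 10}   # labelled Non-reportable in Table 1
INITIAL_ONLY = {8}            # labelled Initial; never a closing category


@dataclass
class Observation:
    """What the analyst has established about one event (constructed field names)."""
    access_level: Optional[str] = None   # "root", "user", or None for no compromise
    malware_executed: bool = False       # malicious logic was installed and ran
    malware_quarantined: bool = False    # blocked by defences; Table 1 folds this into 3
    availability_impact: bool = False    # service impaired, impeded, or halted
    scanning_only: bool = False          # host/port/service probing, no compromise
    failed_valid_logons: bool = False    # attempts with valid or plausible credentials
    config_weakness: bool = False        # missing patch, cross-domain link, vulnerable app
    aup_violation: bool = False          # breach of acceptable use policy
    explained_benign: bool = False       # investigation ended as malfunction/false positive


def categorize(obs: Observation) -> int:
    """Return the Table 1 category number, most severe determination first."""
    # An actual compromise outranks everything else; this is also what keeps
    # category 5 from being used once a compromise has occurred.
    if obs.access_level == "root":
        return 1
    if obs.access_level == "user":
        return 2
    if obs.malware_executed:
        return 7
    if obs.availability_impact:
        return 4
    if obs.config_weakness:
        return 5
    # Exploratory scanning is excluded from category 3 by definition, so it
    # is tested before the failed-logon rule.
    if obs.scanning_only:
        return 6
    if obs.failed_valid_logons or obs.malware_quarantined:
        return 3
    if obs.aup_violation:
        return 10
    if obs.explained_benign:
        return 9
    return 8  # nothing established yet: still investigating


def is_reportable(category: int) -> bool:
    """True for categories Table 1 does not mark Non-reportable (resolve 8 first)."""
    return category not in NON_REPORTABLE


def close_incident(category: int) -> int:
    """Final category for a closed incident; refuses the working state 8."""
    if category in INITIAL_ONLY:
        raise ValueError("category 8 is a working state; re-triage before closing")
    return category


# Constructed sample events (event id, what was observed).
SAMPLE_EVENTS: List[Tuple[str, Observation]] = [
    ("ev-01", Observation(access_level="root")),
    ("ev-02", Observation(access_level="user", malware_executed=True)),
    ("ev-03", Observation(malware_executed=True)),
    ("ev-04", Observation(malware_quarantined=True)),
    ("ev-05", Observation(failed_valid_logons=True)),
    ("ev-06", Observation(scanning_only=True, failed_valid_logons=True)),
    ("ev-07", Observation(config_weakness=True)),
    ("ev-08", Observation(config_weakness=True, access_level="root")),
    ("ev-09", Observation(availability_impact=True)),
    ("ev-10", Observation(explained_benign=True)),
    ("ev-11", Observation(aup_violation=True)),
    ("ev-12", Observation()),
]


def triage(events: List[Tuple[str, Observation]] = SAMPLE_EVENTS) -> Dict[str, int]:
    """Map each event id to its category number."""
    return {eid: categorize(obs) for eid, obs in events}


if __name__ == "__main__":
    for eid, cat in triage().items():
        note = "" if is_reportable(cat) else " (non-reportable)"
        print(f"{eid}: category {cat} {CATEGORIES[cat]}{note}")
```

The order of the checks is the substance: they run from the most severe determination downwards, so an event showing both a missing patch and root access (ev-08) lands in category 1, as the Non-Compliance rule requires, and failed logons that form part of a scan (ev-06) are reconnaissance rather than an unsuccessful attempt. Category 8 is only ever a working state; `close_incident` refuses it so that a reviewer must re-triage into a final category (typically 9 for a false positive) before the record is closed.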
(U) APPENDIX E: Cyber Incident Details





(U) Network Security Assessment 








(S//TK//NF) (b)(1)


NATIONAL RECONNAISSANCE OFFICE 
14675 Lee Road 
Chantilly, VA 20151-1715





15 December 2014 


MEMORANDUM FOR INSPECTOR GENERAL 


SUBJECT: (U) Management Response to findings and recommendations contained in the Draft Audit of National Reconnaissance Office Cyber Incident Detection and Response Report


REFERENCE: (U) Draft Audit of NRO Cyber Incident Detection and Response 2014-001 A


(U) Thank you for the opportunity to review and comment on the Audit of the National Reconnaissance Office (NRO) Cyber Incident Detection and Response report. I have reviewed the report and concurred with the findings and recommendations.


(U) Please see our attached remediation plan which provides specific measurable actions that will be taken to address concerns outlined in the Audit of NRO Cyber Incident Detection and Response report.

(U) Please contact [...], Acting Director, Policy and Governance Staff, at [...] (secure) with any questions.
ry S. Duncan
Director, Communications Systems Directorate





Attachment:
(U) Audit of NRO Cyber Incident Detection and Response

(U) Audit of NRO Cyber Incident Detection and Response (Project Number 2014-001 A)


Strategic Remediation Plan 
Recommendations 1 through 10 











Classified By:
Derived From: INCG dated 20120213
Declassify On: 25X1, 20391231





NATIONAL RECONNAISSANCE OFFICE

SECRET//TALENT KEYHOLE//NOFORN
Approved for Release: 2017/02/06 C05095359
Unless noted, redactions are (b)(3).

(U) Audit of NRO Cyber Incident and Detection Response (Project #2014-0011 A) - Strategic Remediation Plan 


(U) Purpose 
(U) This document is intended to provide an overview of the approach to addressing areas of concern outlined in the Audit of NRO Cyber Incident and Detection Response Report. It will provide specific measurable actions that will be taken to address these concerns.


(U) Background 


(S//TK//NF) From January 2014 to September 2014, the National Reconnaissance Office Inspector General completed the Audit of NRO Cyber Incident Detection and Response in accordance with generally accepted government auditing standards. The OIG assessed the internal controls deemed significant within the context of the audit objectives. Overall, the OIG concluded that NRO's cyber incident detection and response capability [...]

(b)(3)

Finding 1: The NRO
(S//TK//NF) (b)(1)
(b)(3)

(U//FOUO) Finding 2: The NRO
(S//TK//NF) (b)(1)
(b)(3)

6. (U//FOUO)

7. (U//FOUO)

8. (U//FOUO)

9. (U//FOUO)

10. (U//FOUO)



(U) Activities, Milestones, Risks and Dependencies 


The following section provides specific milestones and deliverables related to each of the recommendations included in the audit report.





(U) Finding 1: The NRO

(U//FOUO) Recommendation 3:

(U//FOUO) Recommendation 4:

1 Collection of interconnected components, based on a coherent security architecture and design. May include routers, hubs, cabling, telecommunications controllers, key distribution centers, and technical control devices. [CNSSI 4009]
2 The NIE is defined as the collection of all NRO-owned information and IT required to perform the NRO mission.











(U//FOUO) Finding 2: The NRO























(U//FOUO) Recommendation 7:

(U//FOUO) Finding 3: NRO Cyber incidents

NATIONAL RECONNAISSANCE OFFICE
14675 Lee Road
Chantilly, VA 20151-1715





18 November 2014 


MEMORANDUM FOR INSPECTOR GENERAL

SUBJECT: Response to the Office of Inspector General Recommendations Contained in the DRAFT Report, Audit of NRO Cyber Incident Detection and Response (2014-001 A)

The Office of Security and Counterintelligence (OS&CI) concurs with the findings and recommendations identified in the draft report. The status and corrective action plan with milestones for completion of Recommendation #5 follows.

OS&CI is currently [...]

Martha K. C.
Director, Office of Security and Counterintelligence
(U) APPENDIX G: Major Contributors to this Report





Assistant Inspector General for Audits
Deputy Assistant Inspector General for Information Technology Audits
Auditor-in-Charge
Auditor-in-Charge
Auditor
Quality Assurance Reviewer
Quality Assurance Reviewer